Data Processing Agreement (DPA)
This document is the Data Processing Agreement between your organization (data controller) and Alquilr (data processor), pursuant to Article 28 of the GDPR. It applies automatically to all customers processing personal data of EU residents through Alquilr.
Last updated: 1 de junio de 2026
1. Subject
Alquilr processes personal data on behalf of the customer with the sole purpose of providing the contracted service. The scope, nature, and purpose of processing are described in the Terms of Service and Privacy Policy.
2. Types of data
Alquilr may process: (a) identifying data of tenants, owners, and contacts (name, ID, address, email, phone); (b) financial data (rent, deposits, receipts); (c) platform usage data. Special categories of data (health, ideology, etc.) are not processed unless the customer voluntarily enters them, in which case it's the customer's responsibility to have obtained adequate consent.
3. Alquilr's obligations
Alquilr undertakes to: (a) process data only for the service purpose; (b) ensure staff confidentiality; (c) implement the technical and organizational measures described in Annex I; (d) notify the customer of any security breach in under 48 hours; (e) help the customer fulfill data subject rights; (f) make available to the customer all information necessary to demonstrate compliance.
4. Sub-processors
Alquilr uses the sub-processors listed at alquilr.com/privacy/subprocessors. Any significant change (addition or replacement) will be communicated to the customer at least 30 days in advance, giving them the opportunity to object on grounded grounds.
5. International transfers
Data is processed in the European Economic Area. If a sub-processor requires a transfer outside the EEA, Alquilr ensures a valid legal basis exists (adequacy decision, EU Standard Contractual Clauses, or Binding Corporate Rules).
6. Security measures
Technical and organizational measures implemented include: (a) TLS 1.3 encryption in transit; (b) AES-256 encryption at rest; (c) multi-factor authentication available; (d) network segmentation; (e) encrypted daily backups; (f) role-based access controls; (g) immutable audit log; (h) annual penetration tests by independent third party; (i) staff training on data protection.
7. Audit
The customer may request one audit per year of the security measures, with 30 days notice. Alquilr may replace the on-site audit with: (a) independent audit reports (SOC 2, ISO 27001 when available); (b) response to a detailed questionnaire. The customer bears the audit cost unless non-compliance is demonstrated.
8. Return and deletion
Upon termination of the service, Alquilr will return to the customer all personal data in a standard format (CSV/JSON) or delete it, at the customer's choice. Deletion will be completed within 90 days, unless the law requires retention.
9. Liability
Each party is liable for damages caused by breach of its data protection obligations. Alquilr's total liability under this DPA is governed by the limits set in the Terms of Service, except for willful misconduct or gross negligence.
10. Governing law
This DPA is governed by the GDPR and by the Spanish law on personal data protection and digital rights (LOPDGDD).
Documentos relacionados